PlushDaemon Hijacks Routers for Supply Chain Attacks
ESET researchers have uncovered a sophisticated supply chain attack orchestrated by a China-aligned threat group known as PlushDaemon. This group is leveraging compromised network routers to surreptitiously redirect legitimate software update requests from victim systems to their own malicious servers. The core of this operation involves an implant dubbed EdgeStepper, which resides on the hacked routers, enabling the redirection of update traffic.
The nature of this attack highlights a critical weakness: a small foothold in a single network device, such as a router, can be weaponized to achieve a broad impact across numerous global targets. By controlling the software update delivery mechanism, PlushDaemon gains a powerful vector for initial access and persistent presence within target networks. This method allows the attackers to distribute malware, conduct espionage, or further compromise systems by delivering tampered updates that appear legitimate to the end user and their security software.
The benefits for the attackers are substantial, including the ability to bypass traditional security controls, maintain stealth, and execute widespread, long-term campaigns with high success rates. The use of hacked routers makes detection challenging, as the malicious activity originates from trusted network infrastructure.
Conversely, the risks to organizations are severe. Victims could inadvertently install malicious software disguised as routine updates, leading to system compromise, data exfiltration, operational disruption, and significant financial and reputational damage. The trust placed in software updates is exploited, making it difficult for users or automated systems to discern legitimate updates from malicious ones. This discovery by ESET underscores the critical importance of securing all network infrastructure, especially routers, and implementing robust supply chain security measures to detect and mitigate such sophisticated threats.
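One detection signal a defender can build from the mechanism described above is to watch what addresses the update hostnames resolve to: a router-level implant that redirects update requests has to answer those lookups with an attacker-controlled address rather than one from the vendor's published ranges. The following is an added illustration, not code from ESET or the report; the hostnames, address ranges and resolver log lines are all constructed placeholders.

```python
import ipaddress

# Constructed allow-list: update hostname -> vendor-published address ranges.
# Placeholder values; in practice populate from the vendor's own documentation.
EXPECTED_RANGES = {
    "update.vendor.example": ["203.0.113.0/24", "2001:db8:10::/48"],
    "cdn.vendor.example": ["198.51.100.0/25"],
}

# Constructed resolver log: "<timestamp> <client> <qname> <rtype> <answer>".
SAMPLE_LOG = """\
2025-11-19T08:01:02Z 10.0.0.15 update.vendor.example A 203.0.113.44
2025-11-19T08:01:05Z 10.0.0.15 cdn.vendor.example A 198.51.100.9
2025-11-19T08:02:10Z 10.0.0.22 update.vendor.example A 192.0.2.77
2025-11-19T08:02:11Z 10.0.0.22 update.vendor.example AAAA 2001:db8:10::5
2025-11-19T08:03:00Z 10.0.0.31 www.unrelated.example A 192.0.2.1
"""

def parse_line(line):
    """Split one log line into its fields; qname is normalised to lower case."""
    ts, client, qname, rtype, answer = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "rtype": rtype, "answer": answer}

def is_expected(qname, answer, expected=EXPECTED_RANGES):
    """True if answer lies in a known range, False if not, None if host unmonitored."""
    nets = expected.get(qname)
    if nets is None:
        return None
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False  # a non-address answer for an A/AAAA record is itself odd
    # Mixed IPv4/IPv6 comparisons simply return False here.
    return any(addr in ipaddress.ip_network(n) for n in nets)

def find_suspicious(log_text, expected=EXPECTED_RANGES):
    """Return records where a monitored update host resolved outside its ranges."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["rtype"] not in ("A", "AAAA"):
            continue
        if is_expected(rec["qname"], rec["answer"], expected) is False:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['client']} {rec['qname']} -> {rec['answer']} (unexpected)")
```

This check only flags redirection visible in resolver answers; it complements, rather than replaces, verifying the signature of each downloaded update against a key pinned in the client.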
(Source: https://www.helpnetsecurity.com/2025/11/19/eset-plushdaemon-dns-hijacking/)